diff --git a/docker-bake.hcl b/docker-bake.hcl
new file mode 100644
index 000000000..e24b4dfb3
--- /dev/null
+++ b/docker-bake.hcl
@@ -0,0 +1,218 @@
+group "all" {
+ targets = [
+ "bitcoin-28",
+ "bitcoin-27",
+ "bitcoin-26",
+ "v0-21-1",
+ "v0-20-0",
+ "v0-19-2",
+ "v0-17-0",
+ "v0-16-1",
+ "bitcoin-unknown-message",
+ "bitcoin-invalid-blocks",
+ "bitcoin-50-orphans",
+ "bitcoin-no-mp-trim",
+ "bitcoin-disabled-opcodes",
+ "bitcoin-5k-inv"
+ ]
+}
+
+group "maintained" {
+ targets = [
+ "bitcoin-28",
+ "bitcoin-27",
+ "bitcoin-26"
+ ]
+}
+
+group "practice" {
+ targets = [
+ "bitcoin-unknown-message",
+ "bitcoin-invalid-blocks",
+ "bitcoin-50-orphans",
+ "bitcoin-no-mp-trim",
+ "bitcoin-disabled-opcodes",
+ "bitcoin-5k-inv"
+ ]
+}
+
+group "vulnerable" {
+ targets = [
+ "v0-21-1",
+ "v0-20-0",
+ "v0-19-2",
+ "v0-17-0",
+ "v0-16-1",
+ ]
+}
+
+target "maintained-base" {
+ dockerfile = "./Dockerfile"
+ context = "./resources/images/bitcoin"
+ args = {
+ REPO = "bitcoin"
+ BUILD_ARGS = "--disable-tests --without-gui --disable-bench --disable-fuzz-binary --enable-suppress-external-warnings "
+ }
+ platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7"]
+}
+
+target "bitcoin-28" {
+ inherits = ["maintained-base"]
+ tags = ["bitcoindevproject/bitcoin:28.0"]
+ args = {
+ COMMIT_SHA = "110183746150428e6385880c79f8c5733b1361ba"
+ }
+}
+
+target "bitcoin-27" {
+ inherits = ["maintained-base"]
+ tags = ["bitcoindevproject/bitcoin:27.2"]
+ args = {
+ COMMIT_SHA = "bf03c458e994abab9be85486ed8a6d8813313579"
+ }
+}
+
+target "bitcoin-26" {
+ inherits = ["maintained-base"]
+ tags = ["bitcoindevproject/bitcoin:26.2"]
+ args = {
+ COMMIT_SHA = "7b7041019ba5e7df7bde1416aa6916414a04f3db"
+ }
+}
+
+target "practice-base" {
+ dockerfile = "./Dockerfile"
+ context = "./resources/images/bitcoin/insecure"
+ contexts = {
+ bitcoin-src = "."
+ }
+ args = {
+ ALPINE_VERSION = "3.20"
+ BITCOIN_VERSION = "28.1.1"
+ EXTRA_PACKAGES = "sqlite-dev"
+ EXTRA_RUNTIME_PACKAGES = ""
+ REPO = "willcl-ark/bitcoin"
+ }
+ platforms = ["linux/amd64", "linux/armhf"]
+}
+
+target "bitcoin-unknown-message" {
+ inherits = ["practice-base"]
+ tags = ["bitcoindevproject/bitcoin:99.0.0-unknown-message"]
+ args = {
+ COMMIT_SHA = "ae999611026e941eca5c0b61f22012c3b3f3d8dc"
+ }
+}
+
+target "bitcoin-invalid-blocks" {
+ inherits = ["practice-base"]
+ tags = ["bitcoindevproject/bitcoin:98.0.0-invalid-blocks"]
+ args = {
+ COMMIT_SHA = "9713324368e5a966ec330389a533ae8ad7a0ea8f"
+ }
+}
+
+target "bitcoin-50-orphans" {
+ inherits = ["practice-base"]
+ tags = ["bitcoindevproject/bitcoin:97.0.0-50-orphans"]
+ args = {
+ COMMIT_SHA = "cbcb308eb29621c0db3a105e1a1c1788fb0dab6b"
+ }
+}
+
+target "bitcoin-no-mp-trim" {
+ inherits = ["practice-base"]
+ tags = ["bitcoindevproject/bitcoin:96.0.0-no-mp-trim"]
+ args = {
+ COMMIT_SHA = "a3a15a9a06dd541d1dafba068c00eedf07e1d5f8"
+ }
+}
+
+target "bitcoin-disabled-opcodes" {
+ inherits = ["practice-base"]
+ tags = ["bitcoindevproject/bitcoin:95.0.0-disabled-opcodes"]
+ args = {
+ COMMIT_SHA = "5bdb8c52a8612cac9aa928c84a499dd701542b2a"
+ }
+}
+
+target "bitcoin-5k-inv" {
+ inherits = ["practice-base"]
+ tags = ["bitcoindevproject/bitcoin:94.0.0-5k-inv"]
+ args = {
+ COMMIT_SHA = "e70e610e07eea3aeb0c49ae0bd9f4049ffc1b88c"
+ }
+}
+
+target "CVE-base" {
+ dockerfile = "./Dockerfile"
+ context = "./resources/images/bitcoin/insecure"
+ contexts = {
+ bitcoin-src = "."
+ }
+ platforms = ["linux/amd64", "linux/armhf"]
+ args = {
+ REPO = "josibake/bitcoin"
+ }
+}
+
+target "v0-16-1" {
+ inherits = ["CVE-base"]
+ tags = ["bitcoindevproject/bitcoin:0.16.1"]
+ args = {
+ ALPINE_VERSION = "3.7"
+ BITCOIN_VERSION = "0.16.1"
+ COMMIT_SHA = "dc94c00e58c60412a4e1a540abdf0b56093179e8"
+ EXTRA_PACKAGES = "protobuf-dev libressl-dev"
+ EXTRA_RUNTIME_PACKAGES = "boost boost-program_options libressl"
+ PRE_CONFIGURE_COMMANDS = "sed -i '/AC_PREREQ/a\\AR_FLAGS=cr' src/univalue/configure.ac && sed -i '/AX_PROG_CC_FOR_BUILD/a\\AR_FLAGS=cr' src/secp256k1/configure.ac && sed -i 's:sys/fcntl.h:fcntl.h:' src/compat.h"
+ }
+}
+
+target "v0-17-0" {
+ inherits = ["CVE-base"]
+ tags = ["bitcoindevproject/bitcoin:0.17.0"]
+ args = {
+ ALPINE_VERSION = "3.9"
+ BITCOIN_VERSION = "0.17.0"
+ COMMIT_SHA = "f6b2db49a707e7ad433d958aee25ce561c66521a"
+ EXTRA_PACKAGES = "protobuf-dev libressl-dev"
+ EXTRA_RUNTIME_PACKAGES = "boost boost-program_options libressl sqlite-dev"
+ }
+}
+
+target "v0-19-2" {
+ inherits = ["CVE-base"]
+ tags = ["bitcoindevproject/bitcoin:0.19.2"]
+ args = {
+ ALPINE_VERSION = "3.12.12"
+ BITCOIN_VERSION = "0.19.2"
+ COMMIT_SHA = "e20f83eb5466a7d68227af14a9d0cf66fb520ffc"
+ EXTRA_PACKAGES = "sqlite-dev libressl-dev"
+ EXTRA_RUNTIME_PACKAGES = "boost boost-program_options libressl sqlite-dev"
+ }
+}
+
+target "v0-20-0" {
+ inherits = ["CVE-base"]
+ tags = ["bitcoindevproject/bitcoin:0.20.0"]
+ args = {
+ ALPINE_VERSION = "3.12.12"
+ BITCOIN_VERSION = "0.20.0"
+ COMMIT_SHA = "0bbff8feff0acf1693dfe41184d9a4fd52001d3f"
+ EXTRA_PACKAGES = "sqlite-dev miniupnpc-dev"
+ EXTRA_RUNTIME_PACKAGES = "boost-filesystem miniupnpc-dev sqlite-dev"
+ }
+}
+
+target "v0-21-1" {
+ inherits = ["CVE-base"]
+ tags = ["bitcoindevproject/bitcoin:0.21.1"]
+ args = {
+ ALPINE_VERSION = "3.17"
+ BITCOIN_VERSION = "0.21.1"
+ COMMIT_SHA = "e0a22f14c15b4877ef6221f9ee2dfe510092d734"
+ EXTRA_PACKAGES = "sqlite-dev"
+ EXTRA_RUNTIME_PACKAGES = "boost-filesystem sqlite-dev"
+ }
+} diff --git a/docs/developer-notes.md b/docs/developer-notes.md index 061336d9a..a6de1b9aa 100644 --- a/docs/developer-notes.md +++ b/docs/developer-notes.md @@ -72,3 +72,20 @@ python3 -m build # Upload to Pypi python3 -m twine upload dist/* ``` + +## Building docker images + +The Bitcoin Core docker images used by warnet are specified in the *docker-bake.hcl* file. +This uses the (experimental) `bake` build functionality of docker buildx. +We use [HCL language](https://github.com/hashicorp/hcl) in the declaration file itself. +See the `bake` [documentation](https://docs.docker.com/build/bake/) for more information on specifications, and how to e.g. override arguments. + +In order to build (or "bake") a certain image, find the image's target (name) in the *docker-bake.hcl* file, and then run `docker buildx bake `. + +```bash +# build the dummy image that will crash on 5k invs +docker buildx bake bitcoin-5k-inv + +# build the same image, but set platform to only linux/amd64 +docker buildx bake bitcoin-5k-inv --set bitcoin-5k-inv.platform=linux/amd64 +``` diff --git a/resources/images/bitcoin/insecure/Dockerfile b/resources/images/bitcoin/insecure/Dockerfile index 6f59a4c2e..ce6699872 100644 --- a/resources/images/bitcoin/insecure/Dockerfile +++ b/resources/images/bitcoin/insecure/Dockerfile @@ -48,7 +48,12 @@ RUN mkdir -p ${BERKELEYDB_PREFIX} WORKDIR /${BERKELEYDB_VERSION}/build_unix -RUN ../dist/configure --enable-cxx --disable-shared --with-pic --prefix=${BERKELEYDB_PREFIX} +ARG TARGETPLATFORM +RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then \ + ../dist/configure --enable-cxx --disable-shared --with-pic --prefix=${BERKELEYDB_PREFIX} --build=aarch64-unknown-linux-gnu; \ +else \ + ../dist/configure --enable-cxx --disable-shared --with-pic --prefix=${BERKELEYDB_PREFIX}; \ +fi RUN make -j$(nproc) RUN make install RUN rm -rf ${BERKELEYDB_PREFIX}/docs 
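Review bot: The `CVE-base` and `practice-base` targets publish deliberately vulnerable or crash-on-input builds into the same `bitcoindevproject/bitcoin` repository as the maintained images, and the `vulnerable` targets carry plain release-style tags such as `0.21.1` although they are built from the `josibake/bitcoin` fork at a pinned commit. Nothing in the image metadata marks them as test-only, so a consumer pulling by tag cannot tell them from a stock release build. A label on the two base targets would be inherited by every child target, e.g. `labels = { "org.opencontainers.image.description" = "Intentionally vulnerable Bitcoin Core build for warnet test networks" }`. Separately, these two bases spell the 32-bit ARM platform `linux/armhf` while `maintained-base` uses `linux/arm/v7`; one spelling throughout would keep `--set` platform overrides predictable.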
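Review bot: The new `linux/arm64` branch is not reached by any bake target in this commit that uses this Dockerfile: `practice-base` and `CVE-base` both list only `linux/amd64` and `linux/armhf`, so the `--build=aarch64-unknown-linux-gnu` path runs only under a `--set <target>.platform=linux/arm64` override and otherwise goes unbuilt. The full configure command is also duplicated across the two branches, so a later flag change can land in one and miss the other. Selecting only the extra option keeps a single command line, e.g. `RUN case "$TARGETPLATFORM" in linux/arm64*) BUILD_OPT="--build=aarch64-unknown-linux-gnu" ;; esac; ../dist/configure --enable-cxx --disable-shared --with-pic --prefix=${BERKELEYDB_PREFIX} ${BUILD_OPT}`. The build stage this `RUN` belongs to starts and ends outside the hunk.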
diff --git a/resources/images/bitcoin/insecure/build.md b/resources/images/bitcoin/insecure/build.md
deleted file mode 100644
index a824a8316..000000000
--- a/resources/images/bitcoin/insecure/build.md
+++ /dev/null
@@ -1,198 +0,0 @@ -# Historic CVE images - -These images are for old versions of Bitcoin Core with known CVEs. These images have signet backported -and the addrman and isroutable patches applied. - -# Build incantations - -Run from top-level of project - -## v0.21.1 - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.17" \ - --build-arg BITCOIN_VERSION="0.21.1" \ - --build-arg EXTRA_PACKAGES="sqlite-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="boost-filesystem sqlite-dev" \ - --build-arg REPO="josibake/bitcoin" \ - --build-arg COMMIT_SHA="e0a22f14c15b4877ef6221f9ee2dfe510092d734" \ - --tag bitcoindevproject/bitcoin:0.21.1 \ - resources/images/bitcoin/insecure -``` - -## v0.20.0 - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.12.12" \ - --build-arg BITCOIN_VERSION="0.20.0" \ - --build-arg EXTRA_PACKAGES="sqlite-dev miniupnpc" \ - --build-arg EXTRA_RUNTIME_PACKAGES="boost-filesystem sqlite-dev" \ - --build-arg REPO="josibake/bitcoin" \ - --build-arg COMMIT_SHA="0bbff8feff0acf1693dfe41184d9a4fd52001d3f" \ - --tag bitcoindevproject/bitcoin:0.20.0 \ - resources/images/bitcoin/insecure -``` - -## v0.19.2 - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.12.12" \ - --build-arg BITCOIN_VERSION="0.19.2" \ - --build-arg EXTRA_PACKAGES="sqlite-dev libressl-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="boost-chrono boost-filesystem libressl sqlite-dev" \ - --build-arg REPO="josibake/bitcoin" \ - --build-arg COMMIT_SHA="e20f83eb5466a7d68227af14a9d0cf66fb520ffc" \ - --tag bitcoindevproject/bitcoin:0.19.2 \ - resources/images/bitcoin/insecure -``` - -## v0.17.0 - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." 
\ - --build-arg ALPINE_VERSION="3.9" \ - --build-arg BITCOIN_VERSION="0.17.0" \ - --build-arg EXTRA_PACKAGES="protobuf-dev libressl-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="boost boost-program_options libressl sqlite-dev" \ - --build-arg REPO="josibake/bitcoin" \ - --build-arg COMMIT_SHA="f6b2db49a707e7ad433d958aee25ce561c66521a" \ - --tag bitcoindevproject/bitcoin:0.17.0 \ - resources/images/bitcoin/insecure -``` - -## v0.16.1 - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.7" \ - --build-arg BITCOIN_VERSION="0.16.1" \ - --build-arg EXTRA_PACKAGES="protobuf-dev libressl-dev" \ - --build-arg PRE_CONFIGURE_COMMANDS="sed -i '/AC_PREREQ/a\AR_FLAGS=cr' src/univalue/configure.ac && sed -i '/AX_PROG_CC_FOR_BUILD/a\AR_FLAGS=cr' src/secp256k1/configure.ac && sed -i 's:sys/fcntl.h:fcntl.h:' src/compat.h" \ - --build-arg EXTRA_RUNTIME_PACKAGES="boost boost-program_options libressl" \ - --build-arg REPO="josibake/bitcoin" \ - --build-arg COMMIT_SHA="dc94c00e58c60412a4e1a540abdf0b56093179e8" \ - --tag bitcoindevproject/bitcoin:0.16.1 \ - resources/images/bitcoin/insecure -``` - -## unknown p2p message crash - -Will crash when sent an "unknown" P2P message is received from a node using protocol version >= 70016 - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.20" \ - --build-arg BITCOIN_VERSION="28.1.1" \ - --build-arg EXTRA_PACKAGES="sqlite-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="" \ - --build-arg REPO="willcl-ark/bitcoin" \ - --build-arg COMMIT_SHA="df1768325cca49bb867b7919675ae06c964b5ffa" \ - --tag bitcoindevproject/bitcoin:99.1.0-unknown-message \ - resources/images/bitcoin/insecure -``` - -## invalid blocks crash - -Will crash when sent an invalid block - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." 
\ - --build-arg ALPINE_VERSION="3.20" \ - --build-arg BITCOIN_VERSION="28.1.1" \ - --build-arg EXTRA_PACKAGES="sqlite-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="" \ - --build-arg REPO="willcl-ark/bitcoin" \ - --build-arg COMMIT_SHA="f72bc595fc762c7afcbd156f4f84bf48f7ff4fdb" \ - --tag bitcoindevproject/bitcoin:99.1.0-invalid-blocks \ - resources/images/bitcoin/insecure -``` - -## too many orphans crash - -Will crash when we have 50 orphans in the orphanage - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.20" \ - --build-arg BITCOIN_VERSION="28.1.1" \ - --build-arg EXTRA_PACKAGES="sqlite-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="" \ - --build-arg REPO="willcl-ark/bitcoin" \ - --build-arg COMMIT_SHA="38aff9d695f5aa187fc3b75f08228248963372ee" \ - --tag bitcoindevproject/bitcoin:99.1.0-50-orphans \ - resources/images/bitcoin/insecure -``` - -## full mempool crash - -Will crash when we would normally trim the mempool size. -Mempool set to 50MB by default. - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.20" \ - --build-arg BITCOIN_VERSION="28.1.1" \ - --build-arg EXTRA_PACKAGES="sqlite-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="" \ - --build-arg REPO="willcl-ark/bitcoin" \ - --build-arg COMMIT_SHA="d30f8112611c4732ccb01f0a0216eb7ed10e04a7" \ - --tag bitcoindevproject/bitcoin:99.1.0-no-mp-trim\ - resources/images/bitcoin/insecure -``` - -## disabled opcodes crash - -Will crash when processing a disabled opcode - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." 
\ - --build-arg ALPINE_VERSION="3.20" \ - --build-arg BITCOIN_VERSION="28.1.1" \ - --build-arg EXTRA_PACKAGES="sqlite-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="" \ - --build-arg REPO="willcl-ark/bitcoin" \ - --build-arg COMMIT_SHA="51e068ed42727eee08af62e09eb5789d8b910f61" \ - --tag bitcoindevproject/bitcoin:99.1.0-disabled-opcodes \ - resources/images/bitcoin/insecure -``` - -## crash when 5k inv messages received - -Will crash when we receive a total of 5k `INV` p2p messages are received from a single peer. - -```bash -docker buildx build \ - --platform linux/amd64,linux/armhf \ - --build-context bitcoin-src="." \ - --build-arg ALPINE_VERSION="3.20" \ - --build-arg BITCOIN_VERSION="28.1.1" \ - --build-arg EXTRA_PACKAGES="sqlite-dev" \ - --build-arg EXTRA_RUNTIME_PACKAGES="" \ - --build-arg REPO="willcl-ark/bitcoin" \ - --build-arg COMMIT_SHA="3e1ce7de0d19f791315fa87e0d29504ee0c80fe8" \ - --tag bitcoindevproject/bitcoin:99.1.0-5k-inv \ - resources/images/bitcoin/insecure -```